backend/template/resources.gohtml (1)

10-11: Consider pinning Bootstrap Icons to a specific version.

The Bootstrap Icons CDN link uses version 1.7.2, which is several years old (released ~2021). Consider either:

1. Updating to the latest stable version for bug fixes and new icons
2. Adding a subresource integrity (SRI) hash for the specified version

-    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.7.2/font/bootstrap-icons.css">
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.css" integrity="sha384-..." crossorigin="anonymous">

You can generate the SRI hash at https://www.srihash.org/

pkg/konnector/controllers/cluster/namespacelifecycle/namespacelifecycle_controller.go (1)

237-254: Clarify intended behavior for namespace cleanup on APIServiceNamespace deletion.

When an APIServiceNamespace is deleted (lines 239-254), the code checks if the corresponding Namespace exists but then does not delete it, stating "we can't be sure who owns it" (line 251). This could leave orphaned namespaces in the consumer cluster.

Is this the intended behavior? Consider:

1. If the APIServiceNamespace had the ObjectOwnerLabel, that information is now lost (since the object is deleted), making it impossible to determine ownership
2. This conservative approach prevents accidental deletion but may require manual cleanup

Suggested alternatives:

• Use a finalizer on APIServiceNamespace to determine ownership before deletion
• Add owner references or labels to the Namespace itself to track ownership
• Document this behavior and provide a cleanup tool for operators

Do you want to track this as a known limitation, or should we implement one of the alternatives?

sdk/apis/catalog/v1alpha1/collection_types.go (1)

71-78: Consider adding validation for module name format.

The ModuleReference.Name field is marked as required but doesn't specify format validation. Should it validate that the name references an actual Module resource?

Consider adding:

1. Pattern validation to match Kubernetes resource name constraints
2. A CEL validation rule to check that the referenced Module exists (if cross-resource validation is supported in your environment)

 type ModuleReference struct {
 	// name is the name of the module.
 	//
 	// +required
 	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
+	// +kubebuilder:validation:MaxLength=253
 	Name string `json:"name"`
 }

Validating the reference exists would require a validating webhook or CEL rule, which may be out of scope for this PR.

contrib/kcp/deploy/resources/apiresourceschema-apiservicebindings.kube-bind.io.yaml (1)

377-399: Pluralization is correct; fix descriptions and consider list keys + optional CEL.

• Descriptions still say “NamedResource” (singular). Align wording with the plural field.
• For deterministic merges/dedup, make the list a map keyed by name/namespace.
• If selector.labelSelector and selector.namedResources are intended to be mutually exclusive, add a CEL rule (optional).

Apply within this block:

-                      namedResources:
-                        description: NamedResource is a shorthand for selecting a
-                          single resource by name and namespace.
+                      namedResources:
+                        description: NamedResources is a shorthand for selecting specific
+                          resources by name and namespace.
+                        x-kubernetes-list-type: map
+                        x-kubernetes-list-map-keys:
+                        - name
+                        - namespace
                         items:
-                          description: NamedResource selects a specific resource by
-                            name and namespace.
+                          description: A NamedResource item selects a specific resource by
+                            name and namespace.

If mutually exclusive with labelSelector, add under selector (outside this range):

# under: selector:
x-kubernetes-validations:
- rule: "has(self.labelSelector) != has(self.namedResources)"
  message: "Provide either labelSelector or namedResources, not both."

Please confirm exclusivity intent; I can send a full patch accordingly.

pkg/konnector/controllers/cluster/claimedresources/claimedresources_reconciler.go (1)

186-187: LGTM! Good refactoring to use public constant.

Replacing the hardcoded label key "kube-bind.io/owner" with the public constant kubebindv1alpha2.ObjectOwnerLabel improves maintainability and eliminates potential typos. The behavior remains unchanged.

Also applies to: 195-196, 238-238, 251-251

docs/content/usage/index.md (1)

125-125: Minor grammar issue: hyphenate compound adjective.

As per the static analysis hint, "Label Selector Based" should be hyphenated when used as a compound adjective before a noun.

Apply this diff:

-### Label Selector Based Claims
+### Label-Selector-Based Claims

backend/controllers/serviceexportrequest/serviceexportrequest_reconcile.go (2)

376-405: Optional: rename param to avoid shadowing package name.

Rename cache cache.Cache to infCache cache.Cache for readability and to avoid shadowing the imported package.

-func (r *reconciler) ensureAPIServiceNamespaces(ctx context.Context, cl client.Client, cache cache.Cache, req *kubebindv1alpha2.APIServiceExportRequest) error {
+func (r *reconciler) ensureAPIServiceNamespaces(ctx context.Context, cl client.Client, infCache cache.Cache, req *kubebindv1alpha2.APIServiceExportRequest) error {
-    err := cache.Get(ctx, client.ObjectKey{Namespace: apiServiceNamespace.Namespace, Name: apiServiceNamespace.Name}, currentAPIServiceNamespace)
+    err := infCache.Get(ctx, client.ObjectKey{Namespace: apiServiceNamespace.Namespace, Name: apiServiceNamespace.Name}, currentAPIServiceNamespace)

---

73-76: Consider status/condition for namespace provisioning.

Add a condition (e.g., NamespacesReady) to reflect progress/errors per requested namespace.

If desired, I can draft the condition plumbing.

deploy/crd/catalog.kube-bind.io_collections.yaml (1)

58-71: Enforce uniqueness for spec.modules via list-map keys

To prevent duplicate module references and get merge-friendly patches, model modules as a map-by-name.

Apply this diff:

   modules:
     description: modules is a list of module references that are part
       of this collection.
     items:
       description: ModuleReference references a Module by name.
       properties:
         name:
           description: name is the name of the module.
           type: string
       required:
       - name
       type: object
-    minItems: 1
-    type: array
+    minItems: 1
+    type: array
+    x-kubernetes-list-type: map
+    x-kubernetes-list-map-keys:
+    - name

cli/pkg/kubectl/bind-apiservice/plugin/servicebindings.go (1)

54-55: Avoid hardcoding kube-bind namespace for the secret (if configurable)

If the secret’s namespace can vary across environments, avoid a hard-coded check; compare against the intended namespace source, or make it an option.

Consider:

• Pass the expected namespace into this function, or
• Compare against request.Spec.Namespaces (if present in v1alpha2) or another config source.

deploy/crd/kube-bind.io_apiserviceexports.yaml (1)

567-589: Pluralized field namedResources still uses singular wording; add list-map keys for dedupe

Update description to plural and consider enforcing uniqueness by (namespace,name).

Apply this diff:

-                        namedResources:
-                          description: NamedResource is a shorthand for selecting
-                            a single resource by name and namespace.
+                        namedResources:
+                          description: NamedResources is a shorthand for selecting
+                            specific resources by name and namespace.
                           items:
                             description: NamedResource selects a specific resource
                               by name and namespace.
                             properties:
@@
                           type: array
+                          x-kubernetes-list-type: map
+                          x-kubernetes-list-map-keys:
+                          - namespace
+                          - name

deploy/crd/catalog.kube-bind.io_modules.yaml (1)

203-212: Redundant but harmless scope validation.

The allOf contains two identical enum lists (just in different orders). This is redundant but doesn't affect functionality—it's likely generated by kubebuilder.

Simplify to a single enum:

-            allOf:
-            - enum:
-              - Cluster
-              - Namespaced
-            - enum:
-              - Namespaced
-              - Cluster
+            enum:
+            - Cluster
+            - Namespaced

sdk/apis/catalog/v1alpha1/module_types.go (1)

60-64: Optional: remove omitempty on required field.

scope is required; omitempty is misleading (marshalling only). Safe to drop.

- Scope kubebindv1alpha2.InformerScope `json:"scope,omitempty"`
+ Scope kubebindv1alpha2.InformerScope `json:"scope"`

contrib/kcp/deploy/resources/apiresourceschema-modules.catalog.kube-bind.io.yaml (2)

201-209: Simplify duplicated scope enum.

Two identical enums under allOf are redundant; keep one for clarity.

-            scope:
-              allOf:
-              - enum:
-                - Cluster
-                - Namespaced
-              - enum:
-                - Namespaced
-                - Cluster
+            scope:
+              enum:
+              - Cluster
+              - Namespaced

---

84-90: Polish description grammar (non-functional).

Use “cannot” and “a service”.

-                      Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
-                      not provided by an service binding export.
+                      Note: you cannot ask for permissions for a resource provided by a CRD
+                      not provided by a service binding export.

Also applies to: 170-186

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Learnt from: mjudeikis
PR: kube-bind/kube-bind#304
File: sdk/apis/kubebind/v1alpha2/boundchema_types.go:49-0
Timestamp: 2025-09-22T13:20:49.952Z
Learning: In kube-bind, BoundSchema.ResourceGroupName() is only used for CRDs (Custom Resource Definitions), and CRDs must always have non-empty API groups. Therefore, handling empty groups (core API group "") is not necessary in this context, unlike general Kubernetes GroupResource handling.

Learnt from: mjudeikis
PR: kube-bind/kube-bind#304
File: sdk/apis/kubebind/v1alpha2/boundchema_types.go:49-0
Timestamp: 2025-09-22T13:20:49.952Z
Learning: In kube-bind, there are two different ResourceGroupName() methods: BoundSchema.ResourceGroupName() for CRDs (always non-empty groups) uses simple fmt.Sprintf formatting, while APIServiceExportRequestResource.ResourceGroupName() for export requests handles empty groups by converting to "core". BoundSchema is exclusively for CRDs which cannot have empty API groups per Kubernetes validation.

Learnt from: mjudeikis
PR: kube-bind/kube-bind#295
File: backend/controllers/serviceexportrequest/serviceexportrequest_reconcile.go:140-143
Timestamp: 2025-09-12T08:40:15.290Z
Learning: APIServiceExportRequest resources in kube-bind are short-lived and automatically deleted after 10 minutes, so they should not be used as owner references for longer-lived resources like BoundSchema. The proper lifecycle management for BoundSchema resources created by APIServiceExportRequest is tracked in issue #297.

.coderabbit.yaml (1)

33-34: Fix YAML syntax error: quote strings starting with ! in flow sequences.

The unquoted strings !sdk/client/** and !'**/*.yaml' cause a YAML parse error. In flow sequences (bracket notation), strings starting with ! must be quoted to be treated as literals rather than YAML tag indicators.

Apply this diff to fix the syntax:

  path_filters: [
-   !sdk/client/**,
-   !'**/*.yaml',
+   '!sdk/client/**',
+   '!**/*.yaml',
  ]

cli/pkg/kubectl/bind-apiservice/plugin/servicebindings.go (3)

79-80: Remove namespace field from cluster-scoped APIServiceBinding resource.

APIServiceBinding is a cluster-scoped resource, but line 80 sets Namespace: "kube-bind" in the ObjectMeta. For cluster-scoped resources, the namespace field must be omitted.

Apply this diff:

  ObjectMeta: metav1.ObjectMeta{
    Name:      bindingName,
-   Namespace: "kube-bind",
  },

---

57-57: Message incorrectly implies an update operation.

The message says "Updating existing APIServiceBinding" but the code only validates and returns the existing binding without performing any update.

Apply this diff:

- fmt.Fprintf(b.Options.IOStreams.ErrOut, "✅ Updating existing APIServiceBinding %s.\n", existing.Name)
+ fmt.Fprintf(b.Options.IOStreams.ErrOut, "✅ Reusing existing APIServiceBinding %s.\n", existing.Name)

---

76-107: Replace polling wrapper with single Create call and explicit AlreadyExists handling.

Using wait.PollUntilContextCancel for a single Create operation adds unnecessary complexity. The poll will fail immediately on error anyway. Instead, perform a single Create call and handle concurrent creation via the AlreadyExists error.

Apply this diff:

- // Create new APIServiceBinding
- var created *kubebindv1alpha2.APIServiceBinding
- if err := wait.PollUntilContextCancel(ctx, 1*time.Second, false, func(ctx context.Context) (bool, error) {
-   created, err = bindClient.KubeBindV1alpha2().APIServiceBindings().Create(ctx, &kubebindv1alpha2.APIServiceBinding{
-     ObjectMeta: metav1.ObjectMeta{
-       Name:      bindingName,
-       Namespace: "kube-bind",
-     },
-     Spec: kubebindv1alpha2.APIServiceBindingSpec{
-       KubeconfigSecretRef: kubebindv1alpha2.ClusterSecretKeyRef{
-         LocalSecretKeyRef: kubebindv1alpha2.LocalSecretKeyRef{
-           Name: secretName,
-           Key:  "kubeconfig",
-         },
-         Namespace: "kube-bind",
-       },
-     },
-   }, metav1.CreateOptions{})
-   if err != nil {
-     return false, err
-   }
-
-   // Best effort status update to have "Pending" in the Ready condition
-   conditions.MarkFalse(created,
-     conditionsapi.ReadyCondition,
-     "Pending",
-     conditionsapi.ConditionSeverityInfo,
-     "Pending",
-   )
-   _, _ = bindClient.KubeBindV1alpha2().APIServiceBindings().UpdateStatus(ctx, created, metav1.UpdateOptions{})
-
-   return true, nil
- }); err != nil {
-   return nil, err
- }
+ // Create new APIServiceBinding
+ created, err := bindClient.KubeBindV1alpha2().APIServiceBindings().Create(ctx, &kubebindv1alpha2.APIServiceBinding{
+   ObjectMeta: metav1.ObjectMeta{
+     Name: bindingName,
+   },
+   Spec: kubebindv1alpha2.APIServiceBindingSpec{
+     KubeconfigSecretRef: kubebindv1alpha2.ClusterSecretKeyRef{
+       LocalSecretKeyRef: kubebindv1alpha2.LocalSecretKeyRef{
+         Name: secretName,
+         Key:  "kubeconfig",
+       },
+       Namespace: "kube-bind",
+     },
+   },
+ }, metav1.CreateOptions{})
+ if apierrors.IsAlreadyExists(err) {
+   // Concurrent creation occurred; fetch and return existing binding
+   existing, err := bindClient.KubeBindV1alpha2().APIServiceBindings().Get(ctx, bindingName, metav1.GetOptions{})
+   if err != nil {
+     return nil, err
+   }
+   return []*kubebindv1alpha2.APIServiceBinding{existing}, nil
+ }
+ if err != nil {
+   return nil, err
+ }
+
+ // Best-effort status update to mark Pending
+ conditions.MarkFalse(created,
+   conditionsapi.ReadyCondition,
+   "Pending",
+   conditionsapi.ConditionSeverityInfo,
+   "Pending",
+ )
+ _, _ = bindClient.KubeBindV1alpha2().APIServiceBindings().UpdateStatus(ctx, created, metav1.UpdateOptions{})

sdk/client/listers/kubebind/v1alpha2/collection.go (1)

45-47: Use plural resource for indexer key (“collections”) to fix lookups.

Singular breaks lister queries. Switch to plural.

 func NewCollectionLister(indexer cache.Indexer) CollectionLister {
-	return &collectionLister{listers.New[*kubebindv1alpha2.Collection](indexer, kubebindv1alpha2.Resource("collection"))}
+	return &collectionLister{listers.New[*kubebindv1alpha2.Collection](indexer, kubebindv1alpha2.Resource("collections"))}
 }

#!/usr/bin/env bash
# Find any listers using singular resource keys.
rg -nP --glob 'sdk/**/listers/**/*.go' '\bResource\("collection"\)|\bResource\("[a-z]+"\)' -C2

docs/content/usage/migration.md (2)

34-37: Fix “mangodb” → “mongodb” in groups/resources and example names.

Use mongodb.com/mongodbs consistently across examples.

-    - group: mangodb.com
+    - group: mongodb.com
@@
-      resource: mangodbs
+      resource: mongodbs
@@
-  name: mangodbs-mangodb-com
+  name: mongodbs-mongodb-com
@@
-    - group: mangodb.com
+    - group: mongodb.com
@@
-      resource: mangodbs
+      resource: mongodbs
@@
-    - group: mangodb.com
+    - group: mongodb.com
@@
-      resource: mangodbs
+      resource: mongodbs

Also applies to: 59-60, 87-90, 143-146, 180-183

---

96-101: Use “back up” (verb), not “backup.”

Minor grammar fix.

-Before starting migration, backup your existing resources:
+Before starting migration, back up your existing resources:

backend/kubernetes/manager.go (2)

168-182: Accept a selector (and/or paging) to avoid unbounded cluster-wide lists.

Listing all Collections without filters can be costly in large clusters. Consider adding a labels.Selector/ListOptions parameter, or filtering server-side.

-func (m *Manager) ListCollections(ctx context.Context, cluster string) (*kubebindv1alpha2.CollectionList, error) {
+func (m *Manager) ListCollections(ctx context.Context, cluster string, selector labels.Selector) (*kubebindv1alpha2.CollectionList, error) {
@@
-    var collections kubebindv1alpha2.CollectionList
-    err = c.List(ctx, &collections)
+    var collections kubebindv1alpha2.CollectionList
+    listOpts := []client.ListOption{}
+    if selector != nil {
+        listOpts = append(listOpts, client.MatchingLabelsSelector{Selector: selector})
+    }
+    err = c.List(ctx, &collections, listOpts...)

---

184-198: Rename GetTemplates → GetTemplate for semantic accuracy.

The namespace concern is resolved: APIServiceExportTemplate is cluster-scoped (scope=Cluster), so the current Get() call without namespace is correct. However, the function name should match its return type—it returns a single template (*kubebindv1alpha2.APIServiceExportTemplate), so rename it to GetTemplate (singular).

contrib/kcp/deploy/resources/apiresourceschema-apiserviceexports.kube-bind.io.yaml (1)

565-586: Pluralization nit in description for namedResources.

The field is named namedResources (plural) but the description uses singular “NamedResource”. Align wording.

-                      namedResources:
-                        description: NamedResource is a shorthand for selecting a
-                          single resource by name and namespace.
+                      namedResources:
+                        description: NamedResources is a shorthand for selecting one or more
+                          resources by name and namespace. Each item selects a single resource.

contrib/kcp/deploy/resources/apiresourceschema-apiserviceexporttemplates.kube-bind.io.yaml (2)

141-162: Pluralization nit in description for namedResources.

Same wording issue as elsewhere; use plural for field-level description.

-                      namedResources:
-                        description: NamedResource is a shorthand for selecting a
-                          single resource by name and namespace.
+                      namedResources:
+                        description: NamedResources is a shorthand for selecting one or more
+                          resources by name and namespace. Each item selects a single resource.

---

200-209: Redundant enum duplication for scope.

allOf with two identical enums is redundant. Prefer a single enum for clarity.

-            scope:
-              allOf:
-              - enum:
-                - Cluster
-                - Namespaced
-              - enum:
-                - Namespaced
-                - Cluster
-              description: scope defines the scope of the resources in this template.
-              type: string
+            scope:
+              description: scope defines the scope of the resources in this template.
+              type: string
+              enum:
+              - Cluster
+              - Namespaced

sdk/apis/kubebind/v1alpha2/apiserviceexporttemplate_types.go (1)

58-63: Minor: required field tagged omitempty.

Spec.Scope is required but uses json:"scope,omitempty". Safe, but consider dropping omitempty to always serialize it.

deploy/crd/kube-bind.io_apiserviceexporttemplates.yaml (1)

202-211: CRD scope and schema look good.

Minor nit: scope has duplicated enum entries via allOf; harmless generator artefact. No action needed.

backend/http/handler.go (1)

526-548: Nit: local var shadows imported package name; fix typo in comment.

Rename local template to tmpl and fix “consutruct” → “construct” for clarity.

Apply this diff:

-// 2. Get modules from the backend cluster and consutruct shallow-bound schemas (no crd content).
+// 2. Get modules from the backend cluster and construct shallow-bound schemas (no CRD content).
@@
-	for _, collection := range collections.Items {
-		for _, t := range collection.Spec.Templates {
-			template, err := h.kubeManager.GetTemplates(ctx, cluster, t.Name)
+	for _, collection := range collections.Items {
+		for _, t := range collection.Spec.Templates {
+			tmpl, err := h.kubeManager.GetTemplates(ctx, cluster, t.Name)
 			if err != nil {
 				return nil, fmt.Errorf("failed to get template %q: %w", t.Name, err)
 			}
-			templates.Items = append(templates.Items, *template)
+			templates.Items = append(templates.Items, *tmpl)
 		}
 	}

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Learnt from: mjudeikis
PR: kube-bind/kube-bind#304
File: sdk/apis/kubebind/v1alpha2/boundchema_types.go:49-0
Timestamp: 2025-09-22T13:20:49.952Z
Learning: In kube-bind, there are two different ResourceGroupName() methods: BoundSchema.ResourceGroupName() for CRDs (always non-empty groups) uses simple fmt.Sprintf formatting, while APIServiceExportRequestResource.ResourceGroupName() for export requests handles empty groups by converting to "core". BoundSchema is exclusively for CRDs which cannot have empty API groups per Kubernetes validation.

Learnt from: mjudeikis
PR: kube-bind/kube-bind#295
File: backend/controllers/serviceexportrequest/serviceexportrequest_reconcile.go:140-143
Timestamp: 2025-09-12T08:40:15.290Z
Learning: APIServiceExportRequest resources in kube-bind are short-lived and automatically deleted after 10 minutes, so they should not be used as owner references for longer-lived resources like BoundSchema. The proper lifecycle management for BoundSchema resources created by APIServiceExportRequest is tracked in issue #297.

backend/template/resources.gohtml (1)

14-133: Consider extracting inline CSS to an external stylesheet.

The 119 lines of inline CSS could be extracted to a separate stylesheet for better maintainability, reusability, and testability. However, since this is described as a skeleton implementation, this refactor can be deferred.

backend/http/handler.go (1)

535-548: Consider optimizing template fetching to reduce API calls.

The current implementation makes N+1 API calls (one ListCollections followed by one GetTemplates per template). While acceptable for a skeleton implementation, consider batch-fetching templates in the future to improve performance.

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Learnt from: mjudeikis
PR: kube-bind/kube-bind#304
File: sdk/apis/kubebind/v1alpha2/boundchema_types.go:49-0
Timestamp: 2025-09-22T13:20:49.952Z
Learning: In kube-bind, there are two different ResourceGroupName() methods: BoundSchema.ResourceGroupName() for CRDs (always non-empty groups) uses simple fmt.Sprintf formatting, while APIServiceExportRequestResource.ResourceGroupName() for export requests handles empty groups by converting to "core". BoundSchema is exclusively for CRDs which cannot have empty API groups per Kubernetes validation.

docs/content/usage/migration.md (2)

34-37: Fix typo: "mangodb" → "mongodb" (flagged in prior review).

These examples still use the incorrect API group and resource names. This was previously flagged but remains unresolved.

Apply this diff to fix all instances:

--- migration.md (lines 34-36)
- group: mangodb.com
+ group: mongodb.com
  version: v1alpha1
- resource: mangodbs
+ resource: mongodbs

--- migration.md (line 59)
- name: mangodbs-mangodb-com
+ name: mongodbs-mongodb-com

--- migration.md (lines 87-89)
- group: mangodb.com
+ group: mongodb.com
  version: v1alpha1
- resource: mangodbs
+ resource: mongodbs

--- migration.md (lines 143-145)
- group: mangodb.com
+ group: mongodb.com
  version: v1alpha1
- resource: mangodbs
+ resource: mongodbs

--- migration.md (lines 180-182)
- group: mangodb.com
+ group: mongodb.com
  version: v1alpha1
- resource: mangodbs
+ resource: mongodbs

Also applies to: 59-60, 87-90, 143-146, 180-183

---

94-102: Fix verb form: "backup" → "back up" (flagged in prior review).

The verb form must be two words. This was previously flagged but remains unresolved.

Apply this diff:

- ### 1. Backup Existing Resources
+ ### 1. Back Up Existing Resources

- Before starting migration, backup your existing resources:
+ Before starting migration, back up your existing resources:
  
  ```bash
- # Backup APIServiceExports
+ # Back up APIServiceExports
  kubectl get apiserviceexports -o yaml > apiserviceexports-backup.yaml
  
- # Backup APIServiceBindings
+ # Back up APIServiceBindings
  kubectl get apiservicebindings -o yaml > apiservicebindings-backup.yaml
  
- # Backup bound CRDs
+ # Back up bound CRDs
  kubectl get crds -l kube-bind.io/bound-crd=true -o yaml > bound-crds-backup.yaml

Also applies to: 105-105

cli/pkg/kubectl/bind-apiservice/plugin/servicebindings.go (1)

74-107: PollUntilContextCancel is unnecessary and concurrent creates are unhandled

A previous review comment suggested removing wait.PollUntilContextCancel and handling AlreadyExists explicitly (marked as "✅ Addressed"), but the current code still uses it. The Poll always returns true on first iteration (line 104), making it a pointless wrapper. More critically, if two concurrent callers both see NotFound at line 49, both will attempt Create, and the second will fail with AlreadyExists (not handled).

Apply this diff to fix:

-	// Create new APIServiceBinding
-	var created *kubebindv1alpha2.APIServiceBinding
-	if err := wait.PollUntilContextCancel(ctx, 1*time.Second, false, func(ctx context.Context) (bool, error) {
-		created, err = bindClient.KubeBindV1alpha2().APIServiceBindings().Create(ctx, &kubebindv1alpha2.APIServiceBinding{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: bindingName,
-			},
-			Spec: kubebindv1alpha2.APIServiceBindingSpec{
-				KubeconfigSecretRef: kubebindv1alpha2.ClusterSecretKeyRef{
-					LocalSecretKeyRef: kubebindv1alpha2.LocalSecretKeyRef{
-						Name: secretName,
-						Key:  "kubeconfig",
-					},
-					Namespace: "kube-bind",
-				},
-			},
-		}, metav1.CreateOptions{})
-		if err != nil {
-			return false, err
-		}
-
-		// Best effort status update to have "Pending" in the Ready condition
-		conditions.MarkFalse(created,
-			conditionsapi.ReadyCondition,
-			"Pending",
-			conditionsapi.ConditionSeverityInfo,
-			"Pending",
-		)
-		_, _ = bindClient.KubeBindV1alpha2().APIServiceBindings().UpdateStatus(ctx, created, metav1.UpdateOptions{})
-
-		return true, nil
-	}); err != nil {
-		return nil, err
-	}
+	// Create new APIServiceBinding
+	created, err := bindClient.KubeBindV1alpha2().APIServiceBindings().Create(ctx, &kubebindv1alpha2.APIServiceBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: bindingName,
+		},
+		Spec: kubebindv1alpha2.APIServiceBindingSpec{
+			KubeconfigSecretRef: kubebindv1alpha2.ClusterSecretKeyRef{
+				LocalSecretKeyRef: kubebindv1alpha2.LocalSecretKeyRef{
+					Name: secretName,
+					Key:  "kubeconfig",
+				},
+				Namespace: "kube-bind",
+			},
+		},
+	}, metav1.CreateOptions{})
+	if apierrors.IsAlreadyExists(err) {
+		// Concurrent create; fetch existing
+		existing, err := bindClient.KubeBindV1alpha2().APIServiceBindings().Get(ctx, bindingName, metav1.GetOptions{})
+		if err != nil {
+			return nil, err
+		}
+		return []*kubebindv1alpha2.APIServiceBinding{existing}, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Best-effort status update
+	conditions.MarkFalse(created,
+		conditionsapi.ReadyCondition,
+		"Pending",
+		conditionsapi.ConditionSeverityInfo,
+		"Pending",
+	)
+	_, _ = bindClient.KubeBindV1alpha2().APIServiceBindings().UpdateStatus(ctx, created, metav1.UpdateOptions{})

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro